aws

package
v0.0.0-...-5c79d48 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Feb 15, 2024 License: AGPL-3.0 Imports: 36 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	// ResourceTypeRole is the resource type for an AWS IAM role.
	ResourceTypeRole = "role"
	// ResourceTypeAssumedRole is the resource type for an AWS IAM assumed role.
	ResourceTypeAssumedRole = "assumed-role"
	// ResourceTypeUser is the resource type for an AWS IAM user.
	ResourceTypeUser = "user"
)
View Source 
const (
	// PolicyVersion is default IAM policy version.
	PolicyVersion = "2012-10-17"
	// EffectAllow is the Allow IAM policy effect.
	EffectAllow = "Allow"
	// EffectDeny is the Deny IAM policy effect.
	EffectDeny = "Deny"
)
View Source 
const (
	// TagKeyTeleportCreated defines a tag key that indicates the the cloud
	// resource is created by Teleport.
	TagKeyTeleportCreated = "teleport.dev/created"

	// TagKeyTeleportManaged defines a tag key that indicates the the cloud
	// resource is being managed by Teleport.
	TagKeyTeleportManaged = "teleport.dev/managed"

	// TagValueTrue is the tag value "true" in string format.
	TagValueTrue = "true"
)

Variables

This section is empty.

Functions

func AddMetadataLabels 

func AddMetadataLabels(labels map[string]string, accountID, region string)

AddMetadataLabels adds the AccountID and Region as labels.

func ConvertIAMError 

func ConvertIAMError(err error) error

ConvertIAMError converts common errors from IAM clients to trace errors.

func ConvertIAMv2Error 

func ConvertIAMv2Error(err error) error

ConvertIAMv2Error converts common errors from IAM clients to trace errors.

func ConvertLoadConfigError 

func ConvertLoadConfigError(configErr error) error

ConvertLoadConfigError converts common AWS config loading errors to trace errors.

func ConvertRequestFailureError 

func ConvertRequestFailureError(err error) error

ConvertRequestFailureError converts `error` into AWS RequestFailure errors to trace errors. If the provided error is not an `RequestFailure` it returns the error without modifying it.

func IsTagValueTrue 

func IsTagValueTrue(value string) bool

IsTagValueTrue checks whether a tag value is true.

func LabelsToRDSV2Tags 

func LabelsToRDSV2Tags(labels map[string]string) []rdsTypesV2.Tag

LabelsToRDSV2Tags converts labels into rdsTypesV2.Tag list.

func LabelsToTags 

func LabelsToTags[T any, PT SettableTag[T]](labels map[string]string) (tags []*T)

LabelsToTags converts a label map to a list of AWS resource tags.

func TagsToLabels 

func TagsToLabels[Tag ResourceTag](tags []Tag) map[string]string

TagsToLabels converts a list of AWS resource tags to a label map.

Types

type ExternalAuditStoragePolicyConfig 

type ExternalAuditStoragePolicyConfig struct {
	// Partition is the AWS partition to use.
	Partition string
	// Region is the AWS region to use.
	Region string
	// Account is the AWS account ID to use.
	Account string
	// S3ARNs is a list of all S3 resource ARNs used for audit events, session
	// recordings, and Athena query results. For each location, it should include an ARN for the
	// base bucket and another wildcard ARN for all objects within the bucket
	// and an optional path/prefix.
	S3ARNs []string
	// AthenaWorkgroupName is the name of the Athena workgroup used for queries.
	AthenaWorkgroupName string
	// GlueDatabaseName is the name of the AWS Glue database.
	GlueDatabaseName string
	// GlueTabelName is the name of the AWS Glue table.
	GlueTableName string
}

ExternalAuditStoragePolicyConfig holds options for the External Audit Storage IAM policy.

func (*ExternalAuditStoragePolicyConfig) CheckAndSetDefaults 

func (c *ExternalAuditStoragePolicyConfig) CheckAndSetDefaults() error

type Identity 

type Identity interface {
	// GetName returns the identity name.
	GetName() string
	// GetAccountID returns the AWS account ID the identity belongs to.
	GetAccountID() string
	// GetPartition returns the AWS partition the identity resides in.
	GetPartition() string
	// GetType returns the identity resource type.
	GetType() string
	// Stringer provides textual representation of identity.
	fmt.Stringer
}

Identity represents an AWS IAM identity such as user or role.

func GetIdentityWithClient 

func GetIdentityWithClient(ctx context.Context, stsClient stsiface.STSAPI) (Identity, error)

GetIdentityWithClient determines AWS identity of this Teleport process using the provided STS API client.

func IdentityFromArn 

func IdentityFromArn(arnString string) (Identity, error)

IdentityFromArn returns an `Identity` interface based on the provided ARN.

type InstanceMetadataClient 

type InstanceMetadataClient struct {
	// contains filtered or unexported fields
}

InstanceMetadataClient is a wrapper for an imds.Client.

func NewInstanceMetadataClient 

func NewInstanceMetadataClient(ctx context.Context, opts ...InstanceMetadataClientOption) (*InstanceMetadataClient, error)

NewInstanceMetadataClient creates a new instance metadata client.

func (*InstanceMetadataClient) GetAccountID 

func (client *InstanceMetadataClient) GetAccountID(ctx context.Context) (string, error)

func (*InstanceMetadataClient) GetHostname 

func (client *InstanceMetadataClient) GetHostname(ctx context.Context) (string, error)

GetHostname gets the hostname set by EC2 that Teleport should use, if any.

func (*InstanceMetadataClient) GetID 

func (client *InstanceMetadataClient) GetID(ctx context.Context) (string, error)

GetID gets the EC2 instance's ID.

func (*InstanceMetadataClient) GetLocalIPV4 

func (client *InstanceMetadataClient) GetLocalIPV4(ctx context.Context) (string, error)

GetLocalIPV4 gets the EC2 instance's local ipv4 address.

func (*InstanceMetadataClient) GetPublicIPV4 

func (client *InstanceMetadataClient) GetPublicIPV4(ctx context.Context) (string, error)

GetPublicIPV4 gets the EC2 instance's local ipv4 address.

func (*InstanceMetadataClient) GetRegion 

func (client *InstanceMetadataClient) GetRegion(ctx context.Context) (string, error)

GetRegion gets the EC2 instance's region.

func (*InstanceMetadataClient) GetTags 

func (client *InstanceMetadataClient) GetTags(ctx context.Context) (map[string]string, error)

GetTags gets all of the EC2 instance's tags.

func (*InstanceMetadataClient) GetType 

func (client *InstanceMetadataClient) GetType() types.InstanceMetadataType

GetType gets the cloud instance type.

func (*InstanceMetadataClient) IsAvailable 

func (client *InstanceMetadataClient) IsAvailable(ctx context.Context) bool

IsAvailable checks if instance metadata is available.

type InstanceMetadataClientOption 

type InstanceMetadataClientOption func(client *InstanceMetadataClient) error

InstanceMetadataClientOption allows setting options as functional arguments to an InstanceMetadataClient.

func WithIMDSClient 

func WithIMDSClient(client *imds.Client) InstanceMetadataClientOption

WithIMDSClient adds a custom internal imds.Client to an InstanceMetadataClient.

type Policies 

type Policies interface {
	// Upsert creates a new Policy or creates a Policy version if a policy with
	// the same name already exists.
	Upsert(ctx context.Context, policy *Policy) (arn string, err error)
	// Retrieve retrieves a policy and its versions. If the tags list is
	// present, the Policy should have all of them, otherwise an error is
	// returned.
	Retrieve(ctx context.Context, arn string, tags map[string]string) (policy *iam.Policy, policyVersions []*iam.PolicyVersion, err error)
	// Attach attaches a policy with `arn` to the provided `identity`.
	Attach(ctx context.Context, arn string, identity Identity) error
	// AttachBoundary attaches a policy boundary with `arn` to the provided
	// `identity`.
	AttachBoundary(ctx context.Context, arn string, identity Identity) error
}

Policies set of IAM Policy helper functions defined as an interface to make easier for other packages to mock and test with it.

func NewPolicies 

func NewPolicies(partitionID string, accountID string, iamClient iamiface.IAMAPI) Policies

NewPolicies creates new instance of Policies using the provided identity, partitionID and IAM client.

type Policy 

type Policy struct {
	// Name is the policy name.
	Name string
	// Description is the policy description.
	Description string
	// Tags is the policy tags.
	Tags map[string]string
	// PolicyDocument is the IAM policy document.
	Document *PolicyDocument
}

Policy represents an AWS IAM policy.

func NewPolicy 

func NewPolicy(name, description string, tags map[string]string, document *PolicyDocument) *Policy

NewPolicy returns a new AWS IAM Policy.

type PolicyDocument 

type PolicyDocument struct {
	// Version is the policy version.
	Version string `json:"Version"`
	// Statements is a list of the policy statements.
	Statements []*Statement `json:"Statement"`
}

PolicyDocument represents a parsed AWS IAM policy document.

Note that PolicyDocument and its Ensure/Delete methods are not currently goroutine-safe. To create a policy using AWS IAM API, dump the object to JSON format using json.Marshal.

func NewPolicyDocument 

func NewPolicyDocument(statements ...*Statement) *PolicyDocument

NewPolicyDocument returns new empty AWS IAM policy document.

func ParsePolicyDocument 

func ParsePolicyDocument(document string) (*PolicyDocument, error)

ParsePolicyDocument returns parsed AWS IAM policy document.

func PolicyDocumentForExternalAuditStorage 

func PolicyDocumentForExternalAuditStorage(cfg *ExternalAuditStoragePolicyConfig) (*PolicyDocument, error)

PolicyDocumentForExternalAuditStorage returns a PolicyDocument with the necessary IAM permissions for the External Audit Storage feature.

func (*PolicyDocument) Delete 

func (p *PolicyDocument) Delete(effect, action, resource string)

Delete deletes the specified resource action from the policy.

func (*PolicyDocument) Ensure 

func (p *PolicyDocument) Ensure(effect, action, resource string) bool

Ensure ensures that the policy document contains the specified resource action.

Returns true if the resource action was already a part of the policy and false otherwise.

func (*PolicyDocument) EnsureStatements 

func (p *PolicyDocument) EnsureStatements(statements ...*Statement)

EnsureStatements ensures that the policy document contains all resource actions from the provided statements.

The main benefit of using this function (versus appending to p.Statements directly) is to avoid duplications.

func (*PolicyDocument) ForEach 

func (p *PolicyDocument) ForEach(fn func(effect, action, resource string))

ForEach loops through each action and resource of each statement.

func (*PolicyDocument) Marshal 

func (p *PolicyDocument) Marshal() (string, error)

Marshal formats the PolicyDocument in a "friendly" format, which can be presented to end users.

type ResourceTag 

type ResourceTag interface {
	// TODO Go generic does not allow access common fields yet. List all types
	//  here and use a type switch for now.
	rdsTypesV2.Tag |
		ec2TypesV2.Tag |
		*rds.Tag |
		*redshift.Tag |
		*elasticache.Tag |
		*memorydb.Tag |
		*redshiftserverless.Tag |
		*opensearchservice.Tag
}

ResourceTag is a generic interface that represents an AWS resource tag.

type Role 

type Role struct {
	// contains filtered or unexported fields
}

Role represents an AWS IAM role identity.

func (Role) GetAccountID 

func (i Role) GetAccountID() string

GetAccountID returns the identity account ID.

func (Role) GetName 

func (i Role) GetName() string

GetName returns the identity name.

func (Role) GetPartition 

func (i Role) GetPartition() string

GetPartition returns the identity AWS partition.

func (Role) GetType 

func (i Role) GetType() string

GetType returns the identity resource type.

func (Role) String 

func (i Role) String() string

String returns the AWS identity ARN.

type SettableTag 

type SettableTag[T any] interface {
	SetKey(key string) *T
	SetValue(Value string) *T
	*T
}

SettableTag is a generic interface that represents an AWS resource tag with SetKey and SetValue functions.

type SliceOrString 

type SliceOrString []string

SliceOrString defines a type that can be either a single string or a slice.

For example, these types can be either a single string or a slice: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_action.html https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_resource.html

func (SliceOrString) MarshalJSON 

func (s SliceOrString) MarshalJSON() ([]byte, error)

MarshalJSON implements json.Marshaler.

func (*SliceOrString) UnmarshalJSON 

func (s *SliceOrString) UnmarshalJSON(bytes []byte) error

UnmarshalJSON implements json.Unmarshaller.

type Statement 

type Statement struct {
	// Effect is the statement effect such as Allow or Deny.
	Effect string `json:"Effect"`
	// Actions is a list of actions.
	Actions SliceOrString `json:"Action"`
	// Resources is a list of resources.
	Resources SliceOrString `json:"Resource,omitempty"`
	// Principals is a list of principals.
	Principals map[string]SliceOrString `json:"Principal,omitempty"`
	// Conditions is a list of conditions that must be satisfied for the action to be allowed.
	// Example:
	// Condition:
	//    StringEquals:
	//        "proxy.example.com:aud": "discover.teleport"
	Conditions map[string]map[string]SliceOrString `json:"Condition,omitempty"`
	// StatementID is an optional identifier for the statement.
	StatementID string `json:"Sid,omitempty"`
}

Statement is a single AWS IAM policy statement.

func StatementAccessGraphAWSSync 

func StatementAccessGraphAWSSync() *Statement

StatementAccessGraphAWSSync returns the statement that allows configuring the AWS Sync feature.

func StatementForAWSOIDCRoleTrustRelationship 

func StatementForAWSOIDCRoleTrustRelationship(accountID, providerURL string, audiences []string) *Statement

StatementForAWSOIDCRoleTrustRelationship returns the Trust Relationship to allow the OpenID Connect Provider set up during the AWS OIDC Onboarding to assume this Role.

func StatementForEC2InstanceConnectEndpoint 

func StatementForEC2InstanceConnectEndpoint() *Statement

StatementForEC2InstanceConnectEndpoint returns the statement that allows the flow for accessing an EC2 instance using its private IP, using EC2 Instance Connect Endpoint.

func StatementForECSManageService 

func StatementForECSManageService() *Statement

StatementForECSManageService returns the statement that allows managing the ECS Service deployed by DeployService (AWS OIDC Integration).

func StatementForECSTaskRoleTrustRelationships 

func StatementForECSTaskRoleTrustRelationships() *Statement

StatementForECSTaskRoleTrustRelationships returns the Trust Relationship to allow the ECS Tasks service to. It allows the usage of this Role by the ECS Tasks service.

func StatementForEKSAccess 

func StatementForEKSAccess() *Statement

StatementForEKSAccess returns the statement that allows enrolling of EKS clusters into Teleport.

func StatementForIAMEditRolePolicy 

func StatementForIAMEditRolePolicy(resources ...string) *Statement

StatementForIAMEditRolePolicy returns a IAM Policy Statement which allows editting Role Policy of the resources.

func StatementForIAMEditUserPolicy 

func StatementForIAMEditUserPolicy(resources ...string) *Statement

StatementForIAMEditUserPolicy returns a IAM Policy Statement which allows editting User Policy of the resources.

func StatementForIAMPassRole 

func StatementForIAMPassRole(targetRole string) *Statement

StatementForIAMPassRole returns a statement that allows to iam:PassRole the target role. Usage example: when setting up the TaskRole for the ECS Task. https://docs.aws.amazon.com/AmazonECS/latest/userguide/task-iam-roles.html#specify-task-iam-roles

func StatementForListRDSDatabases 

func StatementForListRDSDatabases() *Statement

StatementForListRDSDatabases returns the statement that allows listing RDS DB Clusters and Instances.

func StatementForRDSDBConnect 

func StatementForRDSDBConnect() *Statement

StatementForRDSDBConnect returns a statement that allows the `rds-db:connect` for all RDS DBs.

func StatementForWritingLogs 

func StatementForWritingLogs() *Statement

StatementForWritingLogs returns the statement that allows the writing logs to CloudWatch. This is used by the DeployService (ECS Service) to write teleport logs. https://docs.aws.amazon.com/AmazonECS/latest/developerguide/using_awslogs.html

type Unknown 

type Unknown struct {
	// contains filtered or unexported fields
}

Unknown represents an unknown/unsupported AWS IAM identity.

func (Unknown) GetAccountID 

func (i Unknown) GetAccountID() string

GetAccountID returns the identity account ID.

func (Unknown) GetName 

func (i Unknown) GetName() string

GetName returns the identity name.

func (Unknown) GetPartition 

func (i Unknown) GetPartition() string

GetPartition returns the identity AWS partition.

func (Unknown) GetType 

func (i Unknown) GetType() string

GetType returns the identity resource type.

func (Unknown) String 

func (i Unknown) String() string

String returns the AWS identity ARN.

type User 

type User struct {
	// contains filtered or unexported fields
}

User represents an AWS IAM user identity.

func (User) GetAccountID 

func (i User) GetAccountID() string

GetAccountID returns the identity account ID.

func (User) GetName 

func (i User) GetName() string

GetName returns the identity name.

func (User) GetPartition 

func (i User) GetPartition() string

GetPartition returns the identity AWS partition.

func (User) GetType 

func (i User) GetType() string

GetType returns the identity resource type.

func (User) String 

func (i User) String() string

String returns the AWS identity ARN.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.